Cream Finance, a decentralized finance (DeFi) lending platform, was compromised Monday when a hacker used a flaw in the $AMP token contract to launch a flash loan attack, stealing $18.8 million.
The protocol informed the community this morning that the attack cost 418,311,571 AMP and 1,308.09 ETH. AMP supply and borrow have been suspended for the time being. The team has yet to respond to a request for comment on the results of the ongoing investigation or the timetable for when AMP lending would resume.
According to Cream, PeckShield, a blockchain analysis organization, is working on a post-mortem analysis. PeckShield has thus far tweeted some of its findings, but it is unclear whether a formal post-mortem will be published jointly with Cream.
According to PeckShield, the $AMP contract introduced a reentrancy issue that allowed for a flash loan attack. Because borrowed funds can be re-borrowed as long as they are returned within one transaction block, attacks of this type let hackers keep borrowing assets with little collateral.
According to PeckShield’s preliminary research, in the case of Cream, the hacker took out a flash loan of 500 ETH and deposited the funds as collateral before borrowing 19 million AMP. They then leveraged the $AMP contract’s reentrancy vulnerability to borrow 355 ETH inside the $AMP transaction before self-liquidating.
The hacker carried out this operation across 17 transactions, culminating in a total loss of funds valued at more than $18 million. While it is unknown who the attacker is, PeckShield is keeping an eye on the IP address.
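A minimal model of the ordering flaw behind a reentrant borrow, next to the corrected ordering, added here as an illustration; it is not Cream's or the AMP contract's code. The `Market` class, the `on_receive` callback standing in for a token transfer that hands control to the recipient, the 75% collateral factor and all amounts are assumptions.

```python
class BorrowRejected(Exception):
    pass

class Market:
    """Toy lending market (constructed model, abstract value units)."""
    COLLATERAL_FACTOR_PCT = 75  # assumed for the model

    def __init__(self, hardened):
        self.hardened = hardened
        self.collateral = {}   # account -> value deposited
        self.debt = {}         # account -> value borrowed
        self.entered = False   # reentrancy guard flag

    def deposit(self, who, value):
        self.collateral[who] = self.collateral.get(who, 0) + value

    def borrow(self, who, value, on_receive=None):
        if self.hardened and self.entered:
            raise BorrowRejected("reentrant call")
        limit = self.collateral.get(who, 0) * self.COLLATERAL_FACTOR_PCT // 100
        if self.debt.get(who, 0) + value > limit:
            raise BorrowRejected("insufficient collateral")
        self.entered = True
        try:
            if self.hardened:
                # Effect before interaction: debt is recorded first.
                self.debt[who] = self.debt.get(who, 0) + value
            if on_receive:
                on_receive()  # the transfer hands control to the recipient
            if not self.hardened:
                # Flawed ordering: debt is recorded only after the callback.
                self.debt[who] = self.debt.get(who, 0) + value
        finally:
            self.entered = False

def run(hardened):
    """Return (final debt, borrow limit, rejected reentrant attempts)."""
    m = Market(hardened)
    m.deposit("borrower", 500)          # constructed amounts
    rejected = []
    def hook():
        try:
            m.borrow("borrower", 355)   # second borrow from inside the first
        except BorrowRejected as e:
            rejected.append(str(e))
    m.borrow("borrower", 300, on_receive=hook)
    return m.debt["borrower"], 500 * Market.COLLATERAL_FACTOR_PCT // 100, rejected
```

With the flawed ordering the account ends with more debt than its collateral allows, because the inner call's collateral check runs before the outer borrow is recorded; with the debt recorded first and the guard set, the inner call is rejected.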
“The monies are still in 0xCE1F….6EDE. We are keeping a close eye on this location for any changes,” they stated in a tweet.
According to Cream, the hack had little effect on other markets.
Though this is the first flash loan attack to target Cream Finance, the protocol was subjected to a domain name hijacking earlier this year. Users were presented with a bogus web portal designed to deceive them into entering information about their private keys.
Flash loans continue to be a contentious instrument in the DeFi ecosystem. Despite the numerous hacks that have relied on the tool, some protocol creators continue to emphasize its potential benefits and equalizing qualities.